fa2 proposal/issue: update_operators not callable via proxy -- sp.sender vs sp.source

[johnnyshankman]

Code:

• https://github.com/teia-community/teia-smart-contracts/blob/main/python/contracts/fa2.py#L263
• https://github.com/teia-community/teia-smart-contracts/blob/main/python/contracts/fa2.py#L273-L274

These blocks force calls to always be done directly via a wallet with the contract and never via a proxy contract. I think this is poor architecture. update_operators is something that should be callable by other contracts for convenience of wrapping things into one transaction for the user, so long as the sp.source address is an operator.

Source of issue: sp.sender becomes the address of the contract that internally called update_operators which is not what we want to check in the instance of an internal call from another contract. I can't see any security issues with such a change, and it increases inter-contract functionality.

This same issue is in the smartpy default template for FA2.

[jagracar]

Hi @johnnyshankman . I'm very sorry i just found about this issue now!

This part is directly taken from the smartpy template. I think verifying only that the source is an operator could be quite risky. Some malicious smart contract could contain inside an entrypoint called by the owner of the tokens a internal call to update the operators of some of their most expensive tokens. The user will not have a way to see that by looking at the operation that is going to execute with their wallet.

At the moment, to do the same action, the exploiter will have to ask the user to execute a batched operation where the update_operator calls will be visible by the user if they inspect the calls using temple wallet, for example.

[jagracar]

I agree that this limits inter-contract functionality, but it think the security implications are more important.